9 Replies Latest reply: Apr 16, 2018 9:22 PM by numanali5555

ISE CPP & Posture Check


Hi Community,


I have a doubt about how the policy flow works in the scenario below.


An endpoint has the AnyConnect Agent (4.5) installed with the Posture module (4.5) and Compliance Module (3.6), and on ISE we have configured Client Provisioning Policy and Posture Policy checks with mandatory requirements for the same agent.

When an endpoint connects to the network, will it go through the Client Provisioning Policy, or will it only go for the Posture Policy check, or will both policy checks be done?



Second one: is it necessary to have a Client Provisioning Policy on ISE? We are manually deploying the AnyConnect Agent installation with the Posture Module and Compliance Module along with the Windows image installation.


Need helpful clarification

  • 1. Re: ISE CPP & Posture Check

    This TechNote has a good breakdown and illustration of how the Posture flow works for both Pre-2.2 and Post-2.2. You can see how the redirect to the Client Provisioning Policy is built into the overall Posture flow.

    Regardless of whether you pre-deploy the Posture agent via software management tools, ISE still does a check against the CPP to determine what agent it needs to check for (NAC Agent, AnyConnect, Temporal, etc) on the client.


    ISE posture style comparison for pre and post 2.2 - Cisco




  • 2. Re: ISE CPP & Posture Check

    Hi Gibbs,


    Thank you for the TechNote. I have gone through the document; it's very well explained.


    I have a doubt about the Posture Flow for Pre-2.2.


    In Steps 20 and 21 it states that the Posture module is the one that initiates Policy Server Detection by sending probes and establishes a connection to the CPP.


    And in Step 26 it states that the Posture Module collects information about the system (OS version, installed security products and their definition versions); this collected information (report) is sent to ISE.

    ISE makes the endpoint compliance status decision based on the report. Till here everything is well and good.


    My doubt is: what is the use of the "Compliance Module"? Also, we use the Compliance Module while creating the Posture policy.

    As the Posture module is the one that is collecting information and sending it to ISE.




  • 3. Re: ISE CPP & Posture Check

    Both are needed as part of the Posture function. The Posture module is essentially the agent and front-end, while the Compliance module mostly provides a library for the assessment and remediation of various 3rd-party products (e.g. anti-malware, patch management, disk encryption, etc.)


    Newer versions of the Compliance module typically add support for new vendor products or versions.

    You can see the support charts for the various versions of the Compliance Module here:

    Cisco Identity Services Engine - Compatibility Information - Cisco

  • 4. Re: ISE CPP & Posture Check

    Hi Gibbs,


    In the possible scenarios below, how does ISE determine the posture status, and based on which condition?


    1. Both Client Provisioning and Posture Policies are present – The compliance status is determined based on the posture check.


    2. Client Provisioning Policy is missing and Posture Policy is present – The compliance status is determined based on the posture check.


    3. Client Provisioning Policy is present, Posture Policy is missing – How is the compliance status determined for this?

    (++ default Posture Status is set to Non-Compliant in Posture Setting)


    4. Both Client Provisioning and Posture Policies are missing. How is the compliance status determined?

    Here we have the following options:
    (++ default Posture Status (Administration -> System -> Settings -> Posture -> General Settings) is set to Non-Compliant) What will be the status?


    (++ default client provisioning configuration (Administration -> System -> Settings -> Client provisioning), “Native Supplicant Provisioning Policy Unavailable” option is set to “Apply defined authorization policy”) What will be the status?


    (++ if we change “Native Supplicant Provisioning Policy Unavailable” to “Allow network access”) What will be the status?

  • 5. Re: ISE CPP & Posture Check

    To be honest, it's been a few years since I've tested these failure scenarios, so I'm not sure I can confidently answer these questions.

    hslai or chyps, are you able to help shed some light on these scenarios or point to documentation that does?

  • 6. Re: ISE CPP & Posture Check

    Hello Gibbs,
    In our environment, users unlock the screen when they are off shift, so the same session will still be there for the user, as the endpoint has not been disconnected from the network.
    So, if a user doesn’t get disconnected from the network, how long does ISE keep the posture status as Compliant in its database, as the posture lease is set to “Perform Posture assessment every time a user connects to the network”?

    As per the Cisco document, the posture process is launched in the situations below:

    1) After Network Interface status (up/down)
    2) Default gateway change
    3) System restart

    In our environment, sometimes the above 3 situations will not match for more than a week or two, and along with that Periodic Re-assessment is not configured. So how long does ISE keep the posture status of an endpoint? Does ISE have any default posture time for the endpoints?


    Thank you

  • 7. Re: ISE CPP & Posture Check

    If PRA is not configured, you can make use of the timeout in the authorization profile to run the check again.

  • 8. Re: ISE CPP & Posture Check

    Since PRA is not configured, as long as the RADIUS session stays up, the posture session information stays the same and there is no change in state.


    Perhaps the device or NIC is going to sleep.


    You need to look at the logs for a session change and perhaps get a DART file when it happens to debug further with TAC.

  • 9. Re: ISE CPP & Posture Check

    Thanks @Jason and Nidhi